Rethinking Risk – Strategies for Today’s Changing Business Climate
In the aftermath of the recent financial industry crash, many firms have taken a fresh look at their risk management approach. The formal Enterprise Risk Management (ERM) systems in the financial services industry were considered the most sophisticated in the world. That these systems failed spectacularly is clear. What is less clear is what these failures mean for the evolution of risk management across a broad range of non-financial industry sectors. More recently, the giant oil surge into the Gulf of Mexico has raised additional fears about the risks of using advanced technologies in challenging environments such as deep-water drilling. These two major disasters have raised many questions about the ability of both businesses and government to effectively manage complex economic and technological risk.
Yet even before these dramatic events, forward-thinking companies were already feeling the need to rethink their risk management approach in order to more effectively respond to rapidly changing business conditions. Whereas many companies once manufactured standalone products or provided discrete services, today they must deliver constantly changing technology-enabled offerings that are closely integrated into global supply chains and ecosystems. These ever-changing and technology-driven demands are creating very different and much more pervasive business risks that call for very different organizational responses.
From an IT perspective, the need to rethink risk has also been increasing for some time. Even before the financial crash, notions of IT risk were beginning to shift away from the traditional focus on system integrity and security, toward safely supporting emerging business requirements such as smart products, global collaboration and empowered employees. Whereas IT used to support business processes, increasingly, IT functionality is the business process. Additionally, IT, and particularly the internet, continue to generate their own rapidly changing risks as businesses become ever more dependent on IT, even as the risks of malware, misuse and cyber-warfare continue to grow.
These emerging business and technological challenges have made the topic of risk management timely, but also complex and pervasive. In our Rethinking Risk research project, we have assessed the state of business/IT risk management today. First, we identified the lessons of the financial and oil spill disasters, as well as the new dangers coming from the internet. We then showed how companies are responding to these challenges, and how we see the topic of risk management evolving as business and technology become increasingly inseparable. The report concludes with a glimpse of some of the frontiers of advanced risk analysis, and some of the thinkers whose work we most admire. Below, we summarize two of our main findings: 1) the narrowing of the gap between business and IT, and 2) the pre-eminence of bottom-up cultural forces compared to formal risk management governance.